kinitiras
Category: Microservices
Development tool: GO
File size: 204KB
Downloads: 0
Upload date: 2023-04-13 09:02:24
Uploader:
sh-1993
Description: A programmable rule engine for k8s admission webhook
File list:
Dockerfile (25, 2023-08-02)
LICENSE (11357, 2023-08-02)
Makefile (4720, 2023-08-02)
ROADMAP.md (483, 2023-08-02)
check_label.py (1608, 2023-08-02)
cmd (0, 2023-08-02)
cmd\app (0, 2023-08-02)
cmd\app\options (0, 2023-08-02)
cmd\app\options\options.go (6022, 2023-08-02)
cmd\app\options\options_test.go (3565, 2023-08-02)
cmd\app\options\validation.go (640, 2023-08-02)
cmd\app\options\validation_test.go (1578, 2023-08-02)
cmd\app\webhook.go (11482, 2023-08-02)
deploy (0, 2023-08-02)
deploy\deploy.yaml (1996, 2023-08-02)
deploy\monitor.yaml (327, 2023-08-02)
deploy\namespace.yaml (65, 2023-08-02)
deploy\rbac.yaml (511, 2023-08-02)
deploy\secret.yaml (254, 2023-08-02)
deploy\webhook-configuration.yaml (1424, 2023-08-02)
docs (0, 2023-08-02)
docs\images (0, 2023-08-02)
docs\images\kinitiras.png (131458, 2023-08-02)
examples (0, 2023-08-02)
examples\addanno-cop.yaml (749, 2023-08-02)
examples\addanno-op.yaml (466, 2023-08-02)
examples\deletens-cvp.yaml (596, 2023-08-02)
... ...
# kinitiras
![kinitiras-logo](https://github.com/k-cloud-labs/kinitiras/blob/master/docs/images/kinitiras.png)
[![Build Status](https://github.com/k-cloud-labs/kinitiras/actions/workflows/ci.yml/badge.svg)](https://github.com/k-cloud-labs/kinitiras/actions?query=workflow%3Abuild)
[![codecov](https://codecov.io/gh/k-cloud-labs/kinitiras/branch/main/graph/badge.svg?token=74uYpOiawR)](https://codecov.io/gh/k-cloud-labs/kinitiras)
[![Go Report Card](https://goreportcard.com/badge/github.com/k-cloud-labs/kinitiras)](https://goreportcard.com/report/github.com/k-cloud-labs/kinitiras)
[![Go doc](https://img.shields.io/badge/go.dev-reference-brightgreen?logo=go&logoColor=white&style=flat)](https://pkg.go.dev/github.com/k-cloud-labs/kinitiras)
[[Chinese](https://github.com/k-cloud-labs/kinitiras/blob/master/README-zh.md)]
A **lightweight** but **powerful** and **programmable** rule engine for Kubernetes admission webhooks.
If you want to use it on the client side with client-go, please use [pidalio](https://github.com/k-cloud-labs/pidalio).
## Quick Start
### Add Helm source
```shell
helm repo add k-cloud-labs https://k-cloud-labs.github.io/helm-charts
```
### Install
All resources are applied to the `kinitiras-system` namespace by default. You can modify the deployment files as needed.
Pay attention to the `deploy/webhook-configuration.yaml` file. The default config will mutate and validate all Kubernetes resources filtered by the label `kinitiras.kcloudlabs.io/webhook: enabled`.
**_YOU NEED TO UPDATE THE RULES AS NEEDED TO MINIMIZE THE EFFECTIVE SCOPE OF THE ADMISSION WEBHOOK._**
After all changes are done, apply it to your cluster.
```shell
helm install kinitiras-webhook k-cloud-labs/kinitiras --namespace kinitiras-system --create-namespace
```
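One way to check the scope warning above, as an added example that is not part of the kinitiras project: the function audits a webhook configuration in JSON form (for instance the output of `kubectl get mutatingwebhookconfiguration NAME -o json`) for a missing opt-in label and for wildcard rules. The webhook names and both JSON samples are constructed, and only `matchLabels` is inspected, so a selector written with `matchExpressions` is reported as missing.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Subset of a webhook configuration; encoding/json matches keys case-insensitively.
type webhookConfig struct {
	Webhooks []struct {
		Name           string
		Rules          []struct{ APIGroups, Resources, Operations []string }
		ObjectSelector *struct{ MatchLabels map[string]string }
	}
}

// auditScope reports a missing opt-in label in objectSelector and any wildcard in a rule.
func auditScope(raw []byte) ([]string, error) {
	var cfg webhookConfig
	if err := json.Unmarshal(raw, &cfg); err != nil {
		return nil, err
	}
	var findings []string
	for _, w := range cfg.Webhooks {
		if w.ObjectSelector == nil || w.ObjectSelector.MatchLabels["kinitiras.kcloudlabs.io/webhook"] != "enabled" {
			findings = append(findings, w.Name+": objectSelector does not require the opt-in label")
		}
		for i, r := range w.Rules {
			for _, list := range [][]string{r.APIGroups, r.Resources, r.Operations} {
				for _, v := range list {
					if v == "*" || v == "*/*" {
						findings = append(findings, fmt.Sprintf("%s: rule %d contains wildcard %q", w.Name, i, v))
					}
				}
			}
		}
	}
	return findings, nil
}

// Constructed samples: label-filtered but otherwise unrestricted, then narrowed to pods.
const broad = `{"webhooks":[{"name":"broad.example.test","objectSelector":{"matchLabels":{"kinitiras.kcloudlabs.io/webhook":"enabled"}},"rules":[{"apiGroups":["*"],"resources":["*"],"operations":["*"]}]}]}`
const narrow = `{"webhooks":[{"name":"narrow.example.test","objectSelector":{"matchLabels":{"kinitiras.kcloudlabs.io/webhook":"enabled"}},"rules":[{"apiGroups":[""],"resources":["pods"],"operations":["CREATE","UPDATE"]}]}]}`

func main() {
	for _, in := range []string{broad, narrow} {
		fmt.Println(auditScope([]byte(in)))
	}
}
```

The broad sample yields one finding per wildcard even though it carries the label selector; the narrowed sample yields none.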
### Create policy
Three kinds of policy are supported:
- `OverridePolicy` is used to mutate objects in the same namespace.
- `ClusterOverridePolicy` is used to mutate objects in any namespace.
- `ClusterValidatePolicy` is used to validate objects in any namespace.

For cluster-scoped resources:
- Apply ClusterOverridePolicy in ascending order of policy name.

For namespaced resources, the apply order is:
- First apply ClusterOverridePolicy;
- Then apply OverridePolicy.

Both mutating and validating policies are programmable via [CUE](https://cuelang.org/).
### Constraint
1. The Kubernetes object is passed to CUE by the `object` parameter.
2. The mutating result is returned by the `patches` parameter.
3. The validating result is returned by the `validate` parameter.
4. Use `processing` to support data passing. It contains the `http` and `output` schemas.
   1. `http` is used to make an HTTP(S) request. Refer to: [http](https://pkg.go.dev/cuelang.org/go/pkg/tool/http)
   2. `output` is used to receive the response. Add the properties you need to it.

Schema:
```cue
// Input parameters; oldObject only exists for the `UPDATE` operation in ClusterValidatePolicy.
object:    _ @tag(object)
oldObject: _ @tag(oldObject)

// Use processing to pass data. An HTTP request will be made and output contains the response.
processing: {
	output: {
		// add what you need
	}
	http: {
		method: *"GET" | string
		url:    parameter.serviceURL
		request: {
			body?: bytes
			header: {}
			trailer: {}
		}
	}
}

patch: {
	op:    string
	path:  string
	value: string
}

// for mutating result
patches: [...patch]

// for validating result
validate: {
	reason?: string
	valid:   bool
}
```
## Examples
You can try some examples in the `examples` folder.

The `deletens-cvp.yaml` will protect namespaces labeled with `kinitiras.kcloudlabs.io/webhook=enabled` from being deleted.

The `addanno-op.yaml` will add the annotation `added-by=op` to pods labeled with `kinitiras.kcloudlabs.io/webhook=enabled` in the default namespace.

The `addanno-cop.yaml` will add the annotation `added-by=cue` to pods labeled with `kinitiras.kcloudlabs.io/webhook=enabled` in the default namespace.
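
The apply order from "Create policy" decides which value survives when two policies write the same field, as with the two `added-by` examples. The following added example (not the project's code) replays that order; the `Policy` type, the policy names and the `baseline` value are hypothetical, selectors are not modelled, and sorting `OverridePolicy` by name is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Policy is a hypothetical stand-in for a mutating policy that sets one annotation.
type Policy struct {
	Kind, Name, Namespace, Key, Value string // Namespace is "" for cluster policies
}

// applyOrder: README order for ns ("" = cluster-scoped); OverridePolicy name sort is assumed.
func applyOrder(policies []Policy, ns string) []Policy {
	var cluster, namespaced []Policy
	for _, p := range policies {
		if p.Kind == "ClusterOverridePolicy" {
			cluster = append(cluster, p)
		} else if p.Kind == "OverridePolicy" && ns != "" && p.Namespace == ns {
			namespaced = append(namespaced, p)
		}
	}
	for _, s := range [][]Policy{cluster, namespaced} {
		sort.Slice(s, func(i, j int) bool { return s[i].Name < s[j].Name })
	}
	return append(cluster, namespaced...)
}

// finalValue replays ordered writes to key; a later add/replace overwrites, so the last wins.
func finalValue(ordered []Policy, key string) (value, writer string) {
	for _, p := range ordered {
		if p.Key == key {
			value, writer = p.Value, p.Kind+"/"+p.Name
		}
	}
	return value, writer
}

func main() {
	// Constructed policies: names are illustrative, "op" and "cue" follow the README examples.
	policies := []Policy{
		{"OverridePolicy", "addanno", "default", "added-by", "op"},
		{"ClusterOverridePolicy", "z-addanno", "", "added-by", "cue"},
		{"ClusterOverridePolicy", "a-baseline", "", "added-by", "baseline"},
	}
	fmt.Println(finalValue(applyOrder(policies, "default"), "added-by")) // op OverridePolicy/addanno
	fmt.Println(finalValue(applyOrder(policies, ""), "added-by"))        // cue ClusterOverridePolicy/z-addanno
}
```

Under this order a namespaced `OverridePolicy` is applied after every `ClusterOverridePolicy`, so it can overwrite a value that a cluster-wide policy set on the same path.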
## Feature
- [x] Support mutating k8s resources by (Cluster)OverridePolicy via plaintext jsonpatch.
- [x] Support mutating k8s resources by (Cluster)OverridePolicy, programmable via CUE.
- [x] Support validating k8s resources by ClusterValidatePolicy, programmable via CUE.
- [x] Support data passing by HTTP request via CUE.
- [ ] kubectl plugin to validate CUE.
- [ ] ...
For more details about this project, please read the [roadmap](https://github.com/k-cloud-labs/kinitiras/blob/master/ROADMAP.md).